-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
key format specification is inconsistent #33
Comments
Thanks for pointing this out, I'm completely against adding Regarding the So I think we should remove it in the reference implementation, unless I'm missing a good reason (@SantiagoTorres?). |
Chiming in since I'm noticing the same issue as well -- the spec doesn't mention From a practical perspective it's likely not an issue if different ecosystems product different key IDs for the same key material, but as currently written the spec sounds declarative in how keys should be formatted, but the existing implementations don't match up (this is even more so for GPG keys -- see #56). Ideally, I think that one of the following things should be done:
|
I'd also prefer not to add it to the spec. I wondered if we wanted to allow additional fields but that's also going to lead to more incompatibility. I'm in favour of removing it from the implementations and making certain assumptions there instead. Can we track this in the implementations? cc @lukpueh |
👍 secure-systems-lab/securesystemslib#308 should be helpful to create more succinct issues of in python-tuf and in-toto. |
Closing in favour of the sslib issue, feel free to reopen if we need to have a spec discussion as well! |
@adityasaky revisiting this, it looks like there's still drift between the "implementations" in this org and the spec itself. Section 4.2.1 of v1.0 of the in-toto spec is now unambiguous about the key format and key ID derivation:
...
However, the Java, Go, and Rust implementations all use the deprecated (and now undocumented/not part of the spec) field Although removing this field from the computation will change the key IDs generated by those implementations, it seems like it should be done to resolve ambiguity and make those implementations match the spec as declared in v1.0 -- otherwise, other implementations that adhere to the spec will actually not match these implementations. |
I think updating those specifications is worthwhile, though we're working on consolidating -golang with witness and go-witness. This shouldn't affect verifying old links against old layouts as the keyids would be internally consistent, but I suppose this breaks new links (post implementation update) verified against old layouts? I don't recall if the key ID is only used as a hint with a fallback option. cc @lukpueh |
Hi there,
Right now our specification specifies the following key format:
Source: https://github.com/in-toto/docs/blob/master/in-toto-spec.md#42-file-formats-general-principles
However, if you generate a new ed25519 key with
in-toto-keygen.py
you will end up with the following private and public key.private:
public:
In the public key the keyID is missing. Is this on purpose?
The text was updated successfully, but these errors were encountered: